Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

modify security level

hello everyone,

Due to my mistake, I configured wrong security level.

my ASA's interface, named "inside" security level 100.

Many production servers are in the "inside" network.

so I would like to reconfigure the security level from 100 to 30.

I know it is going to affect the current connections.

Will it disconnect them?

(I think it will not disconnect them. but need to confirm again. )

Thanks in advance,

Thank you.

2 ACCEPTED SOLUTIONS

Accepted Solutions
VIP Green

Re: modify security level

How many other interfaces do you have configured on your ASA?  Do any of these have a higher security level than the interface in question?  Do you have any ACLs configured on the interfaces including the inside interface?

If you have ACLs configured then you don't need to worry about down time as traffic flow is regulated by the ACLs.  If no ACLs are present then the security level on the interface will be in use. 

If the inside network needs to initiate traffic toward another network located on an interface with a higher security level, you will need to apply ACLs to permit traffic...that is if there are not ACLs already configured.

But as John has mention, best to do this during a maintenance window regardless of the current setup.

--

Please remember to rate and select a correct answer
Super Bronze

modify security level

Hi,

You have not mentioned if the is any ACL on the "inside", "DMZ2" or "DMZ1" interfaces?

You stated that the "outside" interface has an ACL configured.

I would personally suggest using interface ACLs instead of purely using the "security-level" value to determine what traffic is allowed.

It seems to me that since you have stated that traffic is allowed from "outside" to "inside" with ACL that the "security-level" change wont affect anything as ACL is already controlling this traffic. Not to mention the "security-level" of "inside" will still be higher than "outside", so no change there.

If we presume that NO ACLs has been configured on "DMZ1" and "DMZ2" at the moment then their hosts are not able to open connections to "inside" at the moment. This would mean that after the "security-level" change the hosts behind "DMZ1" and "DMZ2" would be able to connect to hosts/servers behind "inside"

If we presume there IS ACLs on the "DMZ1" and "DMZ2" interfaces already at this point allowing traffic that is needed to "inside" then the "security-level" change wont have any effect as all other ASA interfaces already have ACL rules allowing the traffic no matter what the "security-level" is.

With regards to the "inside" interface, if it doesnt have any ACLs configured at the moment then after the "security-level" change no connections to either "DMZ1" or "DMZ2" can be formed from behind "inside". If there is an ACL allowing all needed traffic then the change wont affect anything.

To my understanding existing connections formed through the ASA wont be affected by the "security-level" change but any new connection will be affected after the "security-level" is changed.

- Jouni

7 REPLIES

Re: modify security level

Hi,

It would be advisable to schedule a downtime or maintenance window. This will help inform your users/sever admins you'll be performing a change control and avoid any disruption in the production environment.

Sent from Cisco Technical Support iPhone App

VIP Green

Re: modify security level

How many other interfaces do you have configured on your ASA?  Do any of these have a higher security level than the interface in question?  Do you have any ACLs configured on the interfaces including the inside interface?

If you have ACLs configured then you don't need to worry about down time as traffic flow is regulated by the ACLs.  If no ACLs are present then the security level on the interface will be in use. 

If the inside network needs to initiate traffic toward another network located on an interface with a higher security level, you will need to apply ACLs to permit traffic...that is if there are not ACLs already configured.

But as John has mention, best to do this during a maintenance window regardless of the current setup.

--

Please remember to rate and select a correct answer
New Member

Re: modify security level

hi

the diagram is like this:

                        |

                        |

                        | ( outside, security level 0 )

(DMZ2,50) -----ASA -----------------------------------------( DMZ1, 70)

                        |

                        |

                        |  (inside, 100) (production servers are here)

The goal is

                        |

                        |

                        | ( outside, security level 0 )

(DMZ2,100) -----ASA -----------------------------------------( DMZ1, 70)

                        |

                        |

                        |  (inside, 50)  (production servers are here)

yes, I there is a ACL configured to control traffic from outside to inside

so I thought I can just shut down the DMZ1 and DMZ2 interfaces,

then re-configure the inside security level to 50,

then re-config DMZ1 and DMZ2 to 70 and 100.

does it work?

Thanks,

Super Bronze

modify security level

Hi,

You have not mentioned if the is any ACL on the "inside", "DMZ2" or "DMZ1" interfaces?

You stated that the "outside" interface has an ACL configured.

I would personally suggest using interface ACLs instead of purely using the "security-level" value to determine what traffic is allowed.

It seems to me that since you have stated that traffic is allowed from "outside" to "inside" with ACL that the "security-level" change wont affect anything as ACL is already controlling this traffic. Not to mention the "security-level" of "inside" will still be higher than "outside", so no change there.

If we presume that NO ACLs has been configured on "DMZ1" and "DMZ2" at the moment then their hosts are not able to open connections to "inside" at the moment. This would mean that after the "security-level" change the hosts behind "DMZ1" and "DMZ2" would be able to connect to hosts/servers behind "inside"

If we presume there IS ACLs on the "DMZ1" and "DMZ2" interfaces already at this point allowing traffic that is needed to "inside" then the "security-level" change wont have any effect as all other ASA interfaces already have ACL rules allowing the traffic no matter what the "security-level" is.

With regards to the "inside" interface, if it doesnt have any ACLs configured at the moment then after the "security-level" change no connections to either "DMZ1" or "DMZ2" can be formed from behind "inside". If there is an ACL allowing all needed traffic then the change wont affect anything.

To my understanding existing connections formed through the ASA wont be affected by the "security-level" change but any new connection will be affected after the "security-level" is changed.

- Jouni

New Member

Re: modify security level

access-group out_in in interface outside

access-group dmz_in in interface DMZ1

and,

there are no hosts on DMZ2 now.

Thanks for the detailed explanation.

VIP Green

Re: modify security level

As mentioned earlier, If you have ACLs configured on all the interfaces the security-level of the interface has no meaning.  So, changing the security-level values will not affect the flow of traffic.

--

Please remember to rate and select a correct answer
New Member

Re: modify security level

okay, I see,

thank you very much.

253
Views
0
Helpful
7
Replies
CreatePlease login to create content